1 /* $OpenBSD: ip_spd.c,v 1.102 2020/06/24 22:03:43 cheloha Exp $ */ 2 /* 3 * The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu) 4 * 5 * Copyright (c) 2000-2001 Angelos D. Keromytis. 6 * 7 * Permission to use, copy, and modify this software with or without fee 8 * is hereby granted, provided that this entire notice is included in 9 * all copies of any software which is or includes a copy or 10 * modification of this software. 11 * You may use this code under the GNU public license if you so wish. Please 12 * contribute changes back to the authors under this freer than GPL license 13 * so that we may further the use of strong encryption without limitations to 14 * all. 15 * 16 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 17 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 18 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 19 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 20 * PURPOSE. 21 */ 22 23 #include <sys/param.h> 24 #include <sys/systm.h> 25 #include <sys/mbuf.h> 26 #include <sys/socket.h> 27 #include <sys/kernel.h> 28 #include <sys/socketvar.h> 29 #include <sys/domain.h> 30 #include <sys/protosw.h> 31 #include <sys/pool.h> 32 #include <sys/timeout.h> 33 34 #include <net/route.h> 35 #include <net/netisr.h> 36 37 #include <netinet/in.h> 38 #include <netinet/ip.h> 39 #include <netinet/ip_var.h> 40 #include <netinet/in_pcb.h> 41 #include <netinet/ip_ipsp.h> 42 #include <net/pfkeyv2.h> 43 44 int ipsp_acquire_sa(struct ipsec_policy *, union sockaddr_union *, 45 union sockaddr_union *, struct sockaddr_encap *, struct mbuf *); 46 struct ipsec_acquire *ipsp_pending_acquire(struct ipsec_policy *, 47 union sockaddr_union *); 48 void ipsp_delete_acquire_timo(void *); 49 void ipsp_delete_acquire(struct ipsec_acquire *); 50 51 struct pool ipsec_policy_pool; 52 struct pool ipsec_acquire_pool; 53 int ipsec_policy_pool_initialized = 0; 54 55 /* Protected by the NET_LOCK(). */ 56 int ipsec_acquire_pool_initialized = 0; 57 struct radix_node_head **spd_tables; 58 unsigned int spd_table_max; 59 TAILQ_HEAD(ipsec_acquire_head, ipsec_acquire) ipsec_acquire_head = 60 TAILQ_HEAD_INITIALIZER(ipsec_acquire_head); 61 62 struct radix_node_head * 63 spd_table_get(unsigned int rtableid) 64 { 65 unsigned int rdomain; 66 67 NET_ASSERT_LOCKED(); 68 69 if (spd_tables == NULL) 70 return (NULL); 71 72 rdomain = rtable_l2(rtableid); 73 if (rdomain > spd_table_max) 74 return (NULL); 75 76 return (spd_tables[rdomain]); 77 } 78 79 struct radix_node_head * 80 spd_table_add(unsigned int rtableid) 81 { 82 struct radix_node_head *rnh = NULL; 83 unsigned int rdomain; 84 void *p; 85 86 NET_ASSERT_LOCKED(); 87 88 rdomain = rtable_l2(rtableid); 89 if (spd_tables == NULL || rdomain > spd_table_max) { 90 if ((p = mallocarray(rdomain + 1, sizeof(*rnh), 91 M_RTABLE, M_NOWAIT|M_ZERO)) == NULL) 92 return (NULL); 93 94 if (spd_tables != NULL) { 95 memcpy(p, spd_tables, sizeof(*rnh) * (spd_table_max+1)); 96 free(spd_tables, M_RTABLE, 97 sizeof(*rnh) * (spd_table_max+1)); 98 } 99 spd_tables = p; 100 spd_table_max = rdomain; 101 } 102 103 if (spd_tables[rdomain] == NULL) { 104 if (rn_inithead((void **)&rnh, 105 offsetof(struct sockaddr_encap, sen_type)) == 0) 106 rnh = NULL; 107 spd_tables[rdomain] = rnh; 108 } 109 110 return (spd_tables[rdomain]); 111 } 112 113 int 114 spd_table_walk(unsigned int rtableid, 115 int (*func)(struct ipsec_policy *, void *, unsigned int), void *arg) 116 { 117 struct radix_node_head *rnh; 118 int (*walker)(struct radix_node *, void *, u_int) = (void *)func; 119 int error; 120 121 rnh = spd_table_get(rtableid); 122 if (rnh == NULL) 123 return (0); 124 125 /* EGAIN means the tree changed. */ 126 while ((error = rn_walktree(rnh, walker, arg)) == EAGAIN) 127 continue; 128 129 return (error); 130 } 131 132 /* 133 * Lookup at the SPD based on the headers contained on the mbuf. The second 134 * argument indicates what protocol family the header at the beginning of 135 * the mbuf is. hlen is the offset of the transport protocol header 136 * in the mbuf. 137 * 138 * Return combinations (of return value and in *error): 139 * - NULL/0 -> no IPsec required on packet 140 * - NULL/-EINVAL -> silently drop the packet 141 * - NULL/errno -> drop packet and return error 142 * or a pointer to a TDB (and 0 in *error). 143 * 144 * In the case of incoming flows, only the first three combinations are 145 * returned. 146 */ 147 struct tdb * 148 ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int *error, int direction, 149 struct tdb *tdbp, struct inpcb *inp, u_int32_t ipsecflowinfo) 150 { 151 struct radix_node_head *rnh; 152 struct radix_node *rn; 153 union sockaddr_union sdst, ssrc; 154 struct sockaddr_encap *ddst, dst; 155 struct ipsec_policy *ipo; 156 struct ipsec_ids *ids = NULL; 157 int signore = 0, dignore = 0; 158 u_int rdomain = rtable_l2(m->m_pkthdr.ph_rtableid); 159 160 NET_ASSERT_LOCKED(); 161 162 /* 163 * If there are no flows in place, there's no point 164 * continuing with the SPD lookup. 165 */ 166 if (!ipsec_in_use && inp == NULL) { 167 *error = 0; 168 return NULL; 169 } 170 171 /* 172 * If an input packet is destined to a BYPASS socket, just accept it. 173 */ 174 if ((inp != NULL) && (direction == IPSP_DIRECTION_IN) && 175 (inp->inp_seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_BYPASS) && 176 (inp->inp_seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_BYPASS) && 177 (inp->inp_seclevel[SL_AUTH] == IPSEC_LEVEL_BYPASS)) { 178 *error = 0; 179 return NULL; 180 } 181 182 memset(&dst, 0, sizeof(dst)); 183 memset(&sdst, 0, sizeof(union sockaddr_union)); 184 memset(&ssrc, 0, sizeof(union sockaddr_union)); 185 ddst = (struct sockaddr_encap *)&dst; 186 ddst->sen_family = PF_KEY; 187 ddst->sen_len = SENT_LEN; 188 189 switch (af) { 190 case AF_INET: 191 if (hlen < sizeof (struct ip) || m->m_pkthdr.len < hlen) { 192 *error = EINVAL; 193 return NULL; 194 } 195 ddst->sen_direction = direction; 196 ddst->sen_type = SENT_IP4; 197 198 m_copydata(m, offsetof(struct ip, ip_src), 199 sizeof(struct in_addr), (caddr_t) &(ddst->sen_ip_src)); 200 m_copydata(m, offsetof(struct ip, ip_dst), 201 sizeof(struct in_addr), (caddr_t) &(ddst->sen_ip_dst)); 202 m_copydata(m, offsetof(struct ip, ip_p), sizeof(u_int8_t), 203 (caddr_t) &(ddst->sen_proto)); 204 205 sdst.sin.sin_family = ssrc.sin.sin_family = AF_INET; 206 sdst.sin.sin_len = ssrc.sin.sin_len = 207 sizeof(struct sockaddr_in); 208 ssrc.sin.sin_addr = ddst->sen_ip_src; 209 sdst.sin.sin_addr = ddst->sen_ip_dst; 210 211 /* 212 * If TCP/UDP, extract the port numbers to use in the lookup. 213 */ 214 switch (ddst->sen_proto) { 215 case IPPROTO_UDP: 216 case IPPROTO_TCP: 217 /* Make sure there's enough data in the packet. */ 218 if (m->m_pkthdr.len < hlen + 2 * sizeof(u_int16_t)) { 219 *error = EINVAL; 220 return NULL; 221 } 222 223 /* 224 * Luckily, the offset of the src/dst ports in 225 * both the UDP and TCP headers is the same (first 226 * two 16-bit values in the respective headers), 227 * so we can just copy them. 228 */ 229 m_copydata(m, hlen, sizeof(u_int16_t), 230 (caddr_t) &(ddst->sen_sport)); 231 m_copydata(m, hlen + sizeof(u_int16_t), sizeof(u_int16_t), 232 (caddr_t) &(ddst->sen_dport)); 233 break; 234 235 default: 236 ddst->sen_sport = 0; 237 ddst->sen_dport = 0; 238 } 239 240 break; 241 242 #ifdef INET6 243 case AF_INET6: 244 if (hlen < sizeof (struct ip6_hdr) || m->m_pkthdr.len < hlen) { 245 *error = EINVAL; 246 return NULL; 247 } 248 ddst->sen_type = SENT_IP6; 249 ddst->sen_ip6_direction = direction; 250 251 m_copydata(m, offsetof(struct ip6_hdr, ip6_src), 252 sizeof(struct in6_addr), 253 (caddr_t) &(ddst->sen_ip6_src)); 254 m_copydata(m, offsetof(struct ip6_hdr, ip6_dst), 255 sizeof(struct in6_addr), 256 (caddr_t) &(ddst->sen_ip6_dst)); 257 m_copydata(m, offsetof(struct ip6_hdr, ip6_nxt), 258 sizeof(u_int8_t), 259 (caddr_t) &(ddst->sen_ip6_proto)); 260 261 sdst.sin6.sin6_family = ssrc.sin6.sin6_family = AF_INET6; 262 sdst.sin6.sin6_len = ssrc.sin6.sin6_len = 263 sizeof(struct sockaddr_in6); 264 in6_recoverscope(&ssrc.sin6, &ddst->sen_ip6_src); 265 in6_recoverscope(&sdst.sin6, &ddst->sen_ip6_dst); 266 267 /* 268 * If TCP/UDP, extract the port numbers to use in the lookup. 269 */ 270 switch (ddst->sen_ip6_proto) { 271 case IPPROTO_UDP: 272 case IPPROTO_TCP: 273 /* Make sure there's enough data in the packet. */ 274 if (m->m_pkthdr.len < hlen + 2 * sizeof(u_int16_t)) { 275 *error = EINVAL; 276 return NULL; 277 } 278 279 /* 280 * Luckily, the offset of the src/dst ports in 281 * both the UDP and TCP headers is the same 282 * (first two 16-bit values in the respective 283 * headers), so we can just copy them. 284 */ 285 m_copydata(m, hlen, sizeof(u_int16_t), 286 (caddr_t) &(ddst->sen_ip6_sport)); 287 m_copydata(m, hlen + sizeof(u_int16_t), sizeof(u_int16_t), 288 (caddr_t) &(ddst->sen_ip6_dport)); 289 break; 290 291 default: 292 ddst->sen_ip6_sport = 0; 293 ddst->sen_ip6_dport = 0; 294 } 295 296 break; 297 #endif /* INET6 */ 298 299 default: 300 *error = EAFNOSUPPORT; 301 return NULL; 302 } 303 304 /* Actual SPD lookup. */ 305 if ((rnh = spd_table_get(rdomain)) == NULL || 306 (rn = rn_match((caddr_t)&dst, rnh)) == NULL) { 307 /* 308 * Return whatever the socket requirements are, there are no 309 * system-wide policies. 310 */ 311 *error = 0; 312 return ipsp_spd_inp(m, af, hlen, error, direction, 313 tdbp, inp, NULL); 314 } 315 ipo = (struct ipsec_policy *)rn; 316 317 switch (ipo->ipo_type) { 318 case IPSP_PERMIT: 319 *error = 0; 320 return ipsp_spd_inp(m, af, hlen, error, direction, tdbp, 321 inp, ipo); 322 323 case IPSP_DENY: 324 *error = EHOSTUNREACH; 325 return NULL; 326 327 case IPSP_IPSEC_USE: 328 case IPSP_IPSEC_ACQUIRE: 329 case IPSP_IPSEC_REQUIRE: 330 case IPSP_IPSEC_DONTACQ: 331 /* Nothing more needed here. */ 332 break; 333 334 default: 335 *error = EINVAL; 336 return NULL; 337 } 338 339 /* Check for non-specific destination in the policy. */ 340 switch (ipo->ipo_dst.sa.sa_family) { 341 case AF_INET: 342 if ((ipo->ipo_dst.sin.sin_addr.s_addr == INADDR_ANY) || 343 (ipo->ipo_dst.sin.sin_addr.s_addr == INADDR_BROADCAST)) 344 dignore = 1; 345 break; 346 347 #ifdef INET6 348 case AF_INET6: 349 if ((IN6_IS_ADDR_UNSPECIFIED(&ipo->ipo_dst.sin6.sin6_addr)) || 350 (memcmp(&ipo->ipo_dst.sin6.sin6_addr, &in6mask128, 351 sizeof(in6mask128)) == 0)) 352 dignore = 1; 353 break; 354 #endif /* INET6 */ 355 } 356 357 /* Likewise for source. */ 358 switch (ipo->ipo_src.sa.sa_family) { 359 case AF_INET: 360 if (ipo->ipo_src.sin.sin_addr.s_addr == INADDR_ANY) 361 signore = 1; 362 break; 363 364 #ifdef INET6 365 case AF_INET6: 366 if (IN6_IS_ADDR_UNSPECIFIED(&ipo->ipo_src.sin6.sin6_addr)) 367 signore = 1; 368 break; 369 #endif /* INET6 */ 370 } 371 372 /* Do we have a cached entry ? If so, check if it's still valid. */ 373 if ((ipo->ipo_tdb) && (ipo->ipo_tdb->tdb_flags & TDBF_INVALID)) { 374 TAILQ_REMOVE(&ipo->ipo_tdb->tdb_policy_head, ipo, 375 ipo_tdb_next); 376 ipo->ipo_tdb = NULL; 377 } 378 379 /* Outgoing packet policy check. */ 380 if (direction == IPSP_DIRECTION_OUT) { 381 /* 382 * If the packet is destined for the policy-specified 383 * gateway/endhost, and the socket has the BYPASS 384 * option set, skip IPsec processing. 385 */ 386 if ((inp != NULL) && 387 (inp->inp_seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_BYPASS) && 388 (inp->inp_seclevel[SL_ESP_NETWORK] == 389 IPSEC_LEVEL_BYPASS) && 390 (inp->inp_seclevel[SL_AUTH] == IPSEC_LEVEL_BYPASS)) { 391 /* Direct match. */ 392 if (dignore || 393 !memcmp(&sdst, &ipo->ipo_dst, sdst.sa.sa_len)) { 394 *error = 0; 395 return NULL; 396 } 397 } 398 399 if (ipsecflowinfo) 400 ids = ipsp_ids_lookup(ipsecflowinfo); 401 402 /* Check that the cached TDB (if present), is appropriate. */ 403 if (ipo->ipo_tdb) { 404 if ((ipo->ipo_last_searched <= ipsec_last_added) || 405 (ipo->ipo_sproto != ipo->ipo_tdb->tdb_sproto) || 406 memcmp(dignore ? &sdst : &ipo->ipo_dst, 407 &ipo->ipo_tdb->tdb_dst, 408 ipo->ipo_tdb->tdb_dst.sa.sa_len)) 409 goto nomatchout; 410 411 if (!ipsp_aux_match(ipo->ipo_tdb, 412 ids ? ids : ipo->ipo_ids, 413 &ipo->ipo_addr, &ipo->ipo_mask)) 414 goto nomatchout; 415 416 /* Cached entry is good. */ 417 *error = 0; 418 return ipsp_spd_inp(m, af, hlen, error, direction, 419 tdbp, inp, ipo); 420 421 nomatchout: 422 /* Cached TDB was not good. */ 423 TAILQ_REMOVE(&ipo->ipo_tdb->tdb_policy_head, ipo, 424 ipo_tdb_next); 425 ipo->ipo_tdb = NULL; 426 ipo->ipo_last_searched = 0; 427 } 428 429 /* 430 * If no SA has been added since the last time we did a 431 * lookup, there's no point searching for one. However, if the 432 * destination gateway is left unspecified (or is all-1's), 433 * always lookup since this is a generic-match rule 434 * (otherwise, we can have situations where SAs to some 435 * destinations exist but are not used, possibly leading to an 436 * explosion in the number of acquired SAs). 437 */ 438 if (ipo->ipo_last_searched <= ipsec_last_added) { 439 /* "Touch" the entry. */ 440 if (dignore == 0) 441 ipo->ipo_last_searched = getuptime(); 442 443 /* Find an appropriate SA from the existing ones. */ 444 ipo->ipo_tdb = 445 gettdbbydst(rdomain, 446 dignore ? &sdst : &ipo->ipo_dst, 447 ipo->ipo_sproto, 448 ids ? ids: ipo->ipo_ids, 449 &ipo->ipo_addr, &ipo->ipo_mask); 450 if (ipo->ipo_tdb) { 451 TAILQ_INSERT_TAIL(&ipo->ipo_tdb->tdb_policy_head, 452 ipo, ipo_tdb_next); 453 *error = 0; 454 return ipsp_spd_inp(m, af, hlen, error, 455 direction, tdbp, inp, ipo); 456 } 457 } 458 459 /* So, we don't have an SA -- just a policy. */ 460 switch (ipo->ipo_type) { 461 case IPSP_IPSEC_REQUIRE: 462 /* Acquire SA through key management. */ 463 if (ipsp_acquire_sa(ipo, 464 dignore ? &sdst : &ipo->ipo_dst, 465 signore ? NULL : &ipo->ipo_src, ddst, m) != 0) { 466 *error = EACCES; 467 return NULL; 468 } 469 470 /* FALLTHROUGH */ 471 case IPSP_IPSEC_DONTACQ: 472 *error = -EINVAL; /* Silently drop packet. */ 473 return NULL; 474 475 case IPSP_IPSEC_ACQUIRE: 476 /* Acquire SA through key management. */ 477 ipsp_acquire_sa(ipo, dignore ? &sdst : &ipo->ipo_dst, 478 signore ? NULL : &ipo->ipo_src, ddst, NULL); 479 480 /* FALLTHROUGH */ 481 case IPSP_IPSEC_USE: 482 *error = 0; 483 return ipsp_spd_inp(m, af, hlen, error, direction, 484 tdbp, inp, ipo); 485 } 486 } else { /* IPSP_DIRECTION_IN */ 487 if (tdbp != NULL) { 488 /* 489 * Special case for bundled IPcomp/ESP SAs: 490 * 1) only IPcomp flows are loaded into kernel 491 * 2) input processing processes ESP SA first 492 * 3) then optional IPcomp processing happens 493 * 4) we only update m_tag for ESP 494 * => 'tdbp' is always set to ESP SA 495 * => flow has ipo_proto for IPcomp 496 * So if 'tdbp' points to an ESP SA and this 'tdbp' is 497 * bundled with an IPcomp SA, then we replace 'tdbp' 498 * with the IPcomp SA at tdbp->tdb_inext. 499 */ 500 if (ipo->ipo_sproto == IPPROTO_IPCOMP && 501 tdbp->tdb_sproto == IPPROTO_ESP && 502 tdbp->tdb_inext != NULL && 503 tdbp->tdb_inext->tdb_sproto == IPPROTO_IPCOMP) 504 tdbp = tdbp->tdb_inext; 505 506 /* Direct match in the cache. */ 507 if (ipo->ipo_tdb == tdbp) { 508 *error = 0; 509 return ipsp_spd_inp(m, af, hlen, error, 510 direction, tdbp, inp, ipo); 511 } 512 513 if (memcmp(dignore ? &ssrc : &ipo->ipo_dst, 514 &tdbp->tdb_src, tdbp->tdb_src.sa.sa_len) || 515 (ipo->ipo_sproto != tdbp->tdb_sproto)) 516 goto nomatchin; 517 518 /* Match source/dest IDs. */ 519 if (ipo->ipo_ids) 520 if (tdbp->tdb_ids == NULL || 521 !ipsp_ids_match(ipo->ipo_ids, tdbp->tdb_ids)) 522 goto nomatchin; 523 524 /* Add it to the cache. */ 525 if (ipo->ipo_tdb) 526 TAILQ_REMOVE(&ipo->ipo_tdb->tdb_policy_head, 527 ipo, ipo_tdb_next); 528 ipo->ipo_tdb = tdbp; 529 TAILQ_INSERT_TAIL(&tdbp->tdb_policy_head, ipo, 530 ipo_tdb_next); 531 *error = 0; 532 return ipsp_spd_inp(m, af, hlen, error, direction, 533 tdbp, inp, ipo); 534 535 nomatchin: /* Nothing needed here, falling through */ 536 ; 537 } 538 539 /* Check whether cached entry applies. */ 540 if (ipo->ipo_tdb) { 541 /* 542 * We only need to check that the correct 543 * security protocol and security gateway are 544 * set; IDs will be the same since the cached 545 * entry is linked on this policy. 546 */ 547 if (ipo->ipo_sproto == ipo->ipo_tdb->tdb_sproto && 548 !memcmp(&ipo->ipo_tdb->tdb_src, 549 dignore ? &ssrc : &ipo->ipo_dst, 550 ipo->ipo_tdb->tdb_src.sa.sa_len)) 551 goto skipinputsearch; 552 553 /* Not applicable, unlink. */ 554 TAILQ_REMOVE(&ipo->ipo_tdb->tdb_policy_head, ipo, 555 ipo_tdb_next); 556 ipo->ipo_last_searched = 0; 557 ipo->ipo_tdb = NULL; 558 } 559 560 /* Find whether there exists an appropriate SA. */ 561 if (ipo->ipo_last_searched <= ipsec_last_added) { 562 if (dignore == 0) 563 ipo->ipo_last_searched = getuptime(); 564 565 ipo->ipo_tdb = 566 gettdbbysrc(rdomain, 567 dignore ? &ssrc : &ipo->ipo_dst, 568 ipo->ipo_sproto, ipo->ipo_ids, 569 &ipo->ipo_addr, &ipo->ipo_mask); 570 if (ipo->ipo_tdb) 571 TAILQ_INSERT_TAIL(&ipo->ipo_tdb->tdb_policy_head, 572 ipo, ipo_tdb_next); 573 } 574 skipinputsearch: 575 576 switch (ipo->ipo_type) { 577 case IPSP_IPSEC_REQUIRE: 578 /* If appropriate SA exists, don't acquire another. */ 579 if (ipo->ipo_tdb) { 580 *error = -EINVAL; 581 return NULL; 582 } 583 584 /* Acquire SA through key management. */ 585 if ((*error = ipsp_acquire_sa(ipo, 586 dignore ? &ssrc : &ipo->ipo_dst, 587 signore ? NULL : &ipo->ipo_src, ddst, m)) != 0) 588 return NULL; 589 590 /* FALLTHROUGH */ 591 case IPSP_IPSEC_DONTACQ: 592 /* Drop packet. */ 593 *error = -EINVAL; 594 return NULL; 595 596 case IPSP_IPSEC_ACQUIRE: 597 /* If appropriate SA exists, don't acquire another. */ 598 if (ipo->ipo_tdb) { 599 *error = 0; 600 return ipsp_spd_inp(m, af, hlen, error, 601 direction, tdbp, inp, ipo); 602 } 603 604 /* Acquire SA through key management. */ 605 ipsp_acquire_sa(ipo, dignore ? &ssrc : &ipo->ipo_dst, 606 signore ? NULL : &ipo->ipo_src, ddst, NULL); 607 608 /* FALLTHROUGH */ 609 case IPSP_IPSEC_USE: 610 *error = 0; 611 return ipsp_spd_inp(m, af, hlen, error, direction, 612 tdbp, inp, ipo); 613 } 614 } 615 616 /* Shouldn't ever get this far. */ 617 *error = EINVAL; 618 return NULL; 619 } 620 621 /* 622 * Delete a policy from the SPD. 623 */ 624 int 625 ipsec_delete_policy(struct ipsec_policy *ipo) 626 { 627 struct ipsec_acquire *ipa; 628 struct radix_node_head *rnh; 629 struct radix_node *rn = (struct radix_node *)ipo; 630 int err = 0; 631 632 NET_ASSERT_LOCKED(); 633 634 if (--ipo->ipo_ref_count > 0) 635 return 0; 636 637 /* Delete from SPD. */ 638 if ((rnh = spd_table_get(ipo->ipo_rdomain)) == NULL || 639 rn_delete(&ipo->ipo_addr, &ipo->ipo_mask, rnh, rn) == NULL) 640 return (ESRCH); 641 642 if (ipo->ipo_tdb != NULL) 643 TAILQ_REMOVE(&ipo->ipo_tdb->tdb_policy_head, ipo, 644 ipo_tdb_next); 645 646 while ((ipa = TAILQ_FIRST(&ipo->ipo_acquires)) != NULL) 647 ipsp_delete_acquire(ipa); 648 649 TAILQ_REMOVE(&ipsec_policy_head, ipo, ipo_list); 650 651 if (ipo->ipo_ids) 652 ipsp_ids_free(ipo->ipo_ids); 653 654 ipsec_in_use--; 655 656 pool_put(&ipsec_policy_pool, ipo); 657 658 return err; 659 } 660 661 void 662 ipsp_delete_acquire_timo(void *v) 663 { 664 struct ipsec_acquire *ipa = v; 665 666 NET_LOCK(); 667 ipsp_delete_acquire(ipa); 668 NET_UNLOCK(); 669 } 670 671 /* 672 * Delete a pending IPsec acquire record. 673 */ 674 void 675 ipsp_delete_acquire(struct ipsec_acquire *ipa) 676 { 677 NET_ASSERT_LOCKED(); 678 679 timeout_del(&ipa->ipa_timeout); 680 TAILQ_REMOVE(&ipsec_acquire_head, ipa, ipa_next); 681 if (ipa->ipa_policy != NULL) 682 TAILQ_REMOVE(&ipa->ipa_policy->ipo_acquires, ipa, 683 ipa_ipo_next); 684 pool_put(&ipsec_acquire_pool, ipa); 685 } 686 687 /* 688 * Find out if there's an ACQUIRE pending. 689 * XXX Need a better structure. 690 */ 691 struct ipsec_acquire * 692 ipsp_pending_acquire(struct ipsec_policy *ipo, union sockaddr_union *gw) 693 { 694 struct ipsec_acquire *ipa; 695 696 NET_ASSERT_LOCKED(); 697 698 TAILQ_FOREACH (ipa, &ipo->ipo_acquires, ipa_ipo_next) { 699 if (!memcmp(gw, &ipa->ipa_addr, gw->sa.sa_len)) 700 return ipa; 701 } 702 703 return NULL; 704 } 705 706 /* 707 * Signal key management that we need an SA. 708 * XXX For outgoing policies, we could try to hold on to the mbuf. 709 */ 710 int 711 ipsp_acquire_sa(struct ipsec_policy *ipo, union sockaddr_union *gw, 712 union sockaddr_union *laddr, struct sockaddr_encap *ddst, struct mbuf *m) 713 { 714 struct ipsec_acquire *ipa; 715 716 NET_ASSERT_LOCKED(); 717 718 /* Check whether request has been made already. */ 719 if ((ipa = ipsp_pending_acquire(ipo, gw)) != NULL) 720 return 0; 721 722 /* Add request in cache and proceed. */ 723 if (ipsec_acquire_pool_initialized == 0) { 724 ipsec_acquire_pool_initialized = 1; 725 pool_init(&ipsec_acquire_pool, sizeof(struct ipsec_acquire), 726 0, IPL_SOFTNET, 0, "ipsec acquire", NULL); 727 } 728 729 ipa = pool_get(&ipsec_acquire_pool, PR_NOWAIT|PR_ZERO); 730 if (ipa == NULL) 731 return ENOMEM; 732 733 ipa->ipa_addr = *gw; 734 735 timeout_set_proc(&ipa->ipa_timeout, ipsp_delete_acquire_timo, ipa); 736 737 ipa->ipa_info.sen_len = ipa->ipa_mask.sen_len = SENT_LEN; 738 ipa->ipa_info.sen_family = ipa->ipa_mask.sen_family = PF_KEY; 739 740 /* Just copy the right information. */ 741 switch (ipo->ipo_addr.sen_type) { 742 case SENT_IP4: 743 ipa->ipa_info.sen_type = ipa->ipa_mask.sen_type = SENT_IP4; 744 ipa->ipa_info.sen_direction = ipo->ipo_addr.sen_direction; 745 ipa->ipa_mask.sen_direction = ipo->ipo_mask.sen_direction; 746 747 if (ipsp_is_unspecified(ipo->ipo_dst)) { 748 ipa->ipa_info.sen_ip_src = ddst->sen_ip_src; 749 ipa->ipa_mask.sen_ip_src.s_addr = INADDR_BROADCAST; 750 751 ipa->ipa_info.sen_ip_dst = ddst->sen_ip_dst; 752 ipa->ipa_mask.sen_ip_dst.s_addr = INADDR_BROADCAST; 753 } else { 754 ipa->ipa_info.sen_ip_src = ipo->ipo_addr.sen_ip_src; 755 ipa->ipa_mask.sen_ip_src = ipo->ipo_mask.sen_ip_src; 756 757 ipa->ipa_info.sen_ip_dst = ipo->ipo_addr.sen_ip_dst; 758 ipa->ipa_mask.sen_ip_dst = ipo->ipo_mask.sen_ip_dst; 759 } 760 761 ipa->ipa_info.sen_proto = ipo->ipo_addr.sen_proto; 762 ipa->ipa_mask.sen_proto = ipo->ipo_mask.sen_proto; 763 764 if (ipo->ipo_addr.sen_proto) { 765 ipa->ipa_info.sen_sport = ipo->ipo_addr.sen_sport; 766 ipa->ipa_mask.sen_sport = ipo->ipo_mask.sen_sport; 767 768 ipa->ipa_info.sen_dport = ipo->ipo_addr.sen_dport; 769 ipa->ipa_mask.sen_dport = ipo->ipo_mask.sen_dport; 770 } 771 break; 772 773 #ifdef INET6 774 case SENT_IP6: 775 ipa->ipa_info.sen_type = ipa->ipa_mask.sen_type = SENT_IP6; 776 ipa->ipa_info.sen_ip6_direction = 777 ipo->ipo_addr.sen_ip6_direction; 778 ipa->ipa_mask.sen_ip6_direction = 779 ipo->ipo_mask.sen_ip6_direction; 780 781 if (ipsp_is_unspecified(ipo->ipo_dst)) { 782 ipa->ipa_info.sen_ip6_src = ddst->sen_ip6_src; 783 ipa->ipa_mask.sen_ip6_src = in6mask128; 784 785 ipa->ipa_info.sen_ip6_dst = ddst->sen_ip6_dst; 786 ipa->ipa_mask.sen_ip6_dst = in6mask128; 787 } else { 788 ipa->ipa_info.sen_ip6_src = ipo->ipo_addr.sen_ip6_src; 789 ipa->ipa_mask.sen_ip6_src = ipo->ipo_mask.sen_ip6_src; 790 791 ipa->ipa_info.sen_ip6_dst = ipo->ipo_addr.sen_ip6_dst; 792 ipa->ipa_mask.sen_ip6_dst = ipo->ipo_mask.sen_ip6_dst; 793 } 794 795 ipa->ipa_info.sen_ip6_proto = ipo->ipo_addr.sen_ip6_proto; 796 ipa->ipa_mask.sen_ip6_proto = ipo->ipo_mask.sen_ip6_proto; 797 798 if (ipo->ipo_mask.sen_ip6_proto) { 799 ipa->ipa_info.sen_ip6_sport = 800 ipo->ipo_addr.sen_ip6_sport; 801 ipa->ipa_mask.sen_ip6_sport = 802 ipo->ipo_mask.sen_ip6_sport; 803 ipa->ipa_info.sen_ip6_dport = 804 ipo->ipo_addr.sen_ip6_dport; 805 ipa->ipa_mask.sen_ip6_dport = 806 ipo->ipo_mask.sen_ip6_dport; 807 } 808 break; 809 #endif /* INET6 */ 810 811 default: 812 pool_put(&ipsec_acquire_pool, ipa); 813 return 0; 814 } 815 816 #ifdef IPSEC 817 timeout_add_sec(&ipa->ipa_timeout, ipsec_expire_acquire); 818 #endif 819 820 TAILQ_INSERT_TAIL(&ipsec_acquire_head, ipa, ipa_next); 821 TAILQ_INSERT_TAIL(&ipo->ipo_acquires, ipa, ipa_ipo_next); 822 ipa->ipa_policy = ipo; 823 824 /* PF_KEYv2 notification message. */ 825 return pfkeyv2_acquire(ipo, gw, laddr, &ipa->ipa_seq, ddst); 826 } 827 828 /* 829 * Deal with PCB security requirements. 830 */ 831 struct tdb * 832 ipsp_spd_inp(struct mbuf *m, int af, int hlen, int *error, int direction, 833 struct tdb *tdbp, struct inpcb *inp, struct ipsec_policy *ipo) 834 { 835 /* Sanity check. */ 836 if (inp == NULL) 837 goto justreturn; 838 839 /* We only support IPSEC_LEVEL_BYPASS or IPSEC_LEVEL_AVAIL */ 840 841 if (inp->inp_seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_BYPASS && 842 inp->inp_seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_BYPASS && 843 inp->inp_seclevel[SL_AUTH] == IPSEC_LEVEL_BYPASS) 844 goto justreturn; 845 846 if (inp->inp_seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_AVAIL && 847 inp->inp_seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_AVAIL && 848 inp->inp_seclevel[SL_AUTH] == IPSEC_LEVEL_AVAIL) 849 goto justreturn; 850 851 *error = -EINVAL; 852 return NULL; 853 854 justreturn: 855 if (ipo != NULL) 856 return ipo->ipo_tdb; 857 else 858 return NULL; 859 } 860 861 /* 862 * Find a pending ACQUIRE record based on its sequence number. 863 * XXX Need to use a better data structure. 864 */ 865 struct ipsec_acquire * 866 ipsec_get_acquire(u_int32_t seq) 867 { 868 struct ipsec_acquire *ipa; 869 870 NET_ASSERT_LOCKED(); 871 872 TAILQ_FOREACH (ipa, &ipsec_acquire_head, ipa_next) 873 if (ipa->ipa_seq == seq) 874 return ipa; 875 876 return NULL; 877 } 878